Improved Secure and Lightweight Authentication Scheme for Next-Generation IoT Infrastructure



Introduction
In recent years, the Internet of Things (IoT) [1][2][3][4] has become popular in our everyday life. IoT refers to the real-time collection of any information that needs to be monitored, connected, and interacted with through the use of various devices and technologies such as sensors, radio frequency identification technology, global positioning systems, and laser scanners. In the IoT environment, every object (virtual or physical) can be perceived, identified, accessed, and interconnected in a dynamic, ubiquitous network through the Internet. IoT brings great convenience to our lives. Vehicular ad hoc networks [5,6] are considered to be one of the most promising applications of IoT. They allow people, vehicles, and roadside units to cooperate closely. IoT is also applied to medical healthcare, which is also closely related to our lives. Through the use of IoT, medical healthcare environments have taken on a new look. In an IoT-enabled healthcare system [7][8][9], wearable sensors can be used to collect information about patients and the surrounding environment. Another example of an IoT application is the smart home [10,11]. Smart homes improve people's lifestyles and make them more comfortable, safer, and more efficient. In addition, the cloud system based on IoT can help the national government manage some resources to a great extent. Managing data through the cloud system greatly reduces human resources and greatly improves the utilization rate of resources. These advantages are mainly based on the principle of the cloud-based Internet of Things.
The application of such technology supports legitimate users in accessing normal data from hospitals, homes, borders, and other areas, which can better manage data to a certain extent.
Because IoT has grown so seamlessly, many end users are ignorant of the existence of these devices. Due to their invisibility, IoT device security is crucial, yet challenging to manage. Several IoT networks have recently been taken over to carry out malicious attacks. For these reasons, addressing these IoT security challenges is critical to their successful development. However, there has been a significant expansion in the number of IoT devices. Designing security mechanisms for all of these devices is complicated due to the heterogeneity and complexity of IoT networks.
For an IoT network to be secure, all the entities (servers, end users, and devices) must mutually authenticate their identities. In addition, all communication should be encrypted to maintain data confidentiality. This means that a common session key for both sides of the communication is required. Therefore, designing a secure and efficient authenticated key agreement (AKA) scheme is crucial [12][13][14][15].
Various AKA schemes for IoT have been proposed. In 2004, Kumari et al. [16] found that Chang et al.'s scheme [17] is vulnerable to offline password-guessing attacks, internal attacks, and server masquerading attacks. They also pointed out that the protocol [17] has security vulnerabilities during the password update phase. To overcome these security weaknesses, Kumari et al. designed an improved scheme. Kumari et al. claimed that their scheme is more secure, more efficient, and more suitable for real-life IoT network use. However, Kaul and Awasthi [18] discovered that Kumari et al.'s protocol [16] is still vulnerable to some attacks. In their scheme, attackers can easily capture some security parameters transmitted on a public channel and then calculate the session key. In response to this, Kaul and Awasthi [18] proposed a robust and secure user authentication protocol based on resource-friendly symmetric cryptographic primitives. Unfortunately, Rana et al. [19] proved that the protocol [18] cannot resist various types of attacks. Therefore, they proposed a secure, lightweight AKA scheme for next-generation IoT infrastructure.
In this study, however, we found that Rana et al.'s scheme [19] is still vulnerable to offline password-guessing attacks and privileged-insider attacks. In their scheme [19], an illegal insider or malicious attacker can calculate the session key or guess passwords if they can capture a user's smart card. Therefore, we propose a new AKA scheme. In the proposed scheme, we utilize the biological information of the users because it is difficult for attackers to obtain this information. To demonstrate that the proposed scheme is indeed secure, we analyze it using Burrows-Abadi-Needham (BAN) logic [20] and also show that it is secure against various types of attacks. Compared with the previous scheme, the proposed scheme has better performance in terms of memory overhead. The remainder of this paper is organized as follows. In Section 2, we briefly review the scheme proposed by Rana et al. [19]. Section 3 demonstrates that Rana et al.'s scheme [19] is vulnerable to offline password-guessing attacks and privileged-insider attacks. Our proposed scheme is described in Section 4. Sections 5 and 6 provide security and performance analyses and comparisons. Finally, Section 7 concludes the paper.

Review of Rana et al.'s Scheme
In this section, we briefly review Rana et al.'s AKA scheme. Their scheme contains three phases: user registration, login, and authentication; the steps of their scheme are described below. The notations used in this paper are listed in Table 1.

User Registration Phase.
(1) First, the user U_c selects their own identification ID_c, password PW_c, and an arbitrary number b. Then, the following is calculated: and {ID_c, RPW_c} is transmitted to the server through a secure channel. (2) After the server receives the information from the user, it selects an arbitrary number y_c and calculates (3) Then, the server stores the parameters {β_c, c_c, χ_c, DID_c, h(·)} in the smart card memory and sends them to the user U_c through a secure channel. (4) Finally, the user calculates and stores η_c in the smart card. Now, the smart card contains the parameters {β_c, c_c, χ_c, η_c, DID_c, h(·)}.

Login Phase.
When a registered user wants to log in to the system, they perform the following operations: (1) User U_c enters their ID_c' and PW_c' and inserts the smart card. (2) The smart card reader extracts the parameters m = η_c ⊕ h(ID_c' ⊕ PW_c') and RPW_c' = h(m ‖ PW_c'). (3) Further, the smart card reader extracts the parameters α_c' = β_c ⊕ h(ID_c' ⊕ RPW_c') and y_c' = c_c ⊕ h(α_c' ⊕ RPW_c') and calculates If χ_c' = χ_c, the legitimate user is allowed to log in; otherwise, the login is refused. (4) After verifying the legitimacy of the user, the reader calculates The reader then sends the login request {DID_c, ω_c, υ_c, T1} to the server through a secure channel.

Authentication Phase.
In this phase, the smart card reader and the server authenticate each other by performing the following steps: (1) S first verifies the validity of the timestamp by calculating T2 − T1. If the calculated value is less than the given threshold δT, the login request proceeds; otherwise, it is rejected.
(2) After that, S extracts and calculates ID_c' using (ID_c' ‖ y_c) = Dec_ds(DID_c) and then calculates the values: Then, S verifies the validity of the login by comparing the calculated υ_c' with the stored υ_c. If the two are equal, the verification passes; otherwise, the verification fails and the server refuses the login request.
(3) After verifying the correctness of υ_c, the server continues to calculate Then, S sends the calculated μ_c and the timestamp T2 to U. (4) When U receives the information from the server, it first verifies the validity of T2 and then calculates U checks whether μ_c' is equal to μ_c. If so, S is successfully verified. (5) Finally, after mutual verification, the session key SK can be calculated:
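The smart-card side of the login phase reviewed above (the m, RPW_c', α_c', y_c' chain of steps (2)-(3)) together with the server's timestamp check of authentication step (1), as a constructed Python model added here; it is not code from the paper. It assumes SHA-256 as h(·), 32-byte fields, and that registration stored each secret XORed with the mask the reader recomputes (the inverse of the login equations, with the registration value b being the m recovered at login); the χ_c check is omitted because its formula is not reproduced in this text.

```python
import hashlib

# Constructed model (not the paper's code) of Rana et al.'s login phase.
# Assumptions: h(.) is SHA-256, every field is a 32-byte string, and the
# registration phase stored beta_c, c_c, eta_c as secret XOR mask, which
# is exactly what the login-phase equations invert.
L = 32


def h(*parts: bytes) -> bytes:
    """h(x || y) is modelled as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b) == L
    return bytes(x ^ y for x, y in zip(a, b))


def field(s: str) -> bytes:
    """Pad/truncate a string (identity, password) to one L-byte field."""
    return s.encode()[:L].ljust(L, b"\0")


def issue_smart_card(id_c: str, pw_c: str, m: bytes,
                     alpha_c: bytes, y_c: bytes) -> dict:
    """Registration outcome implied by the login equations:
    RPW_c = h(m || PW_c); beta_c masks alpha_c, c_c masks y_c, eta_c masks m.
    alpha_c and y_c are the values fixed at registration (the text does not
    reproduce how alpha_c is derived, so both are plain inputs here)."""
    rpw_c = h(m, field(pw_c))
    return {
        "beta": xor(alpha_c, h(xor(field(id_c), rpw_c))),
        "c": xor(y_c, h(xor(alpha_c, rpw_c))),
        "eta": xor(m, h(xor(field(id_c), field(pw_c)))),
    }


def reader_extract(card: dict, id_in: str, pw_in: str) -> tuple:
    """Login steps (2)-(3): recompute m, RPW_c', alpha_c', y_c' from the
    card contents and the entered credentials. alpha_c'/y_c' only match
    the registered values when ID and PW are the registered ones.
    Note that the chain needs nothing beyond the card contents plus ID_c
    and RPW_c, which is what the paper's privileged-insider attack
    (Section 3) relies on."""
    m = xor(card["eta"], h(xor(field(id_in), field(pw_in))))
    rpw = h(m, field(pw_in))
    alpha = xor(card["beta"], h(xor(field(id_in), rpw)))
    y = xor(card["c"], h(xor(alpha, rpw)))
    return alpha, y


def login_is_fresh(t1: int, t2: int, delta_t: int) -> bool:
    """Authentication step (1): S accepts only if T2 - T1 < delta_T,
    which is the check that rejects a replayed login request."""
    return 0 <= t2 - t1 < delta_t
```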

Cryptanalysis of Rana et al.'s Scheme
In this section, we first describe the threat model. Then, we show that Rana et al.'s scheme is insecure against offline password-guessing attacks and privileged-insider attacks.

Threat Model.
This threat model describes the capabilities of an adversary A, which are also considered and discussed in [21,22]. A's capabilities are as follows: (1) A has complete control over the transmission channel: it can block, change, remove, replay, and delay the messages passed between participants through a public channel. (2) A can extract the information stored in the smart card using power analysis [23,24]. (3) A can obtain the information in the smart card and the information transmitted by the user on the secure channel during the registration process [25]. (4) A can simultaneously obtain the information in the smart card and perform offline password guessing, as stated in [26,27]. (5) A can know any two of the user's password, smart card, and biological information. (6) A can obtain session keys that the user previously established with the server. (7) A can register as a legitimate user in a legitimate way.
(4) Finally, A obtains the session key SK from the values of α_c and y_c calculated above:

Privileged-Insider Attack.
(1) First, the attacker A steals the smart card and obtains the stored information (2) Then, a privileged insider can obtain the information ID_c and RPW_c of a legitimate user during registration. (3) A can calculate the following parameters by using the information β_c obtained from the smart card and the information ID_c and RPW_c obtained during user registration: (4) Finally, the attacker can calculate the session key SK from the above parameters:

Proposed Scheme
In this section, we describe the specific process of the protocol and the overall architecture diagram. The main body of the protocol includes users and servers. The scheme consists of four phases: user registration, login, authentication, and password change. Figure 1 illustrates the architecture of the proposed protocol. The user is the main participant in the communication, and the server is the entity that communicates with the user. Figure 2 illustrates the user registration phase. The detailed steps are as follows:

User Registration Phase.
(1) First, U_c selects their ID_c, password PW_c, and bio information R_i, as well as an arbitrary number m, to calculate Then, ds is used to encrypt ID_c, with the result: U_c then transmits {DID_c, BRPW_c} to S through a secure channel. (2) After receiving the information from U, S selects an arbitrary number y_c, decrypts DID_c to obtain the value of ID_c, and then calculates (3) Finally, the calculated parameters {β_c, c_c, χ_c, DID_c, h(·)} are stored in the smart card, and S sends the smart card to U through a secure channel. U calculates η_c after receiving the message: Then, η_c is saved in the smart card, and the registration process of the user is complete.

Login Phase.
(1) U enters their own ID_c', PW_c', and bio information R_i. (2) After the information is entered, the reader calculates Then, it verifies whether χ_c' and χ_c are equal. If they are equal, the verification passes; otherwise, the login request sent by U to S is rejected.
(3) If the verification passes, the reader calculates Then, the login request {DID_c, ω_c, υ_c, T1} is sent to the server.

Authentication Phase.
This section describes the process of mutual authentication between S and U. After the user sends the login request to the server, the server verifies whether U is legitimate by calculating a series of parameters, and U verifies the validity of S by calculating the values of some parameters. The authentication process is described in detail below. The login and authentication phases are shown in Figure 3.
(1) After S receives the request from U, it first verifies whether the timestamp is fresh. It then decrypts DID_c to obtain ID_c and calculates S verifies whether υ_c' and υ_c are equal. If not, S rejects the login request from U. If they are equal, S accepts the login request from U and then calculates the session key shared by both sides: (2) After calculating the session key, S continues to calculate Then, S sends {μ_c, T2} to U. (3) After receiving the message from S, the user first verifies the validity of the timestamp T2 and then calculates U verifies whether μ_c' is equal to μ_c. If they are equal, U calculates the session key: At this point, the authentication process between U and S is complete.

Password Change Phase.
If U wants to change their password PW_c to PW_c^N, the following steps are performed: (1) U first inserts their smart card and enters their ID_c, current password PW_c, bio information R_i, and new password PW_c^N.

Figure 1: Network architecture.

(2) According to some parameter values in the smart card and their own identity information, the following are calculated:

Security and Communication Networks
If the calculated value of χ_c' is equal to the value of χ_c stored in the smart card, the user is considered legitimate and allowed to change the password. (3) Some parameter values need to be updated in the process of password modification. The specific calculation process is as follows: (4) Finally, the values {β_c, c_c, χ_c, η_c} stored in the smart card are replaced with the modified values {β_c^N, c_c^N, χ_c^N, η_c^N}, and the password modification is complete.

Formal Security Analysis.
Burrows-Abadi-Needham (BAN) logic [20] has been used in several studies to prove whether a protocol can be executed securely. This section uses BAN logic to prove the security and reliability of our proposed protocol. This proof verifies that our protocol can successfully establish and share a session key between the user and the server. In the following proof, U represents the user and S represents the server. The specific proof rules and process are as follows:

Detailed Steps.
By considering the message M1 and using the seeing rule, we get S1: S ⊲ {〈ID_c〉_ds, 〈α_c, y_c〉_ds, T1}. Using S1, we get S2: S ⊲ 〈ID_c〉_ds. Under assumption A2, applying rule R1 to S2 gives S3: S |≡ U |∼ (ID_c).

ROR Model.
This paper follows the ROR (Random Oracles) model for the security proof, and two participants, U and S, are involved. First, let H^x_U and H^y_S be the xth instance of the user and the yth instance of the server, respectively. Then, let U = {H^x_U, H^y_S}; A can perform the following operations. Execute(U): by executing this query, A obtains the messages transmitted between U and S over the public channel. Send(U, M): with the help of the Send query, A can send messages to U and S; in addition, A also receives the response messages from the two participants. Corrupt(U): with the help of this query, A can obtain the parameter information stored in the smart card as well as some temporary parameters and the long-term key. Hash(String): by performing this operation, A obtains the hash value of the string. Test(U): this operation is used to verify whether the session key between the user and the server is secure. An unbiased coin C is tossed, and the result of the toss is known only to A. If C = 1, A learns the correct session key; if C = 0, a null value is output.

Definition 1 (one-way, collision-resistant hash function): this is a common mathematical function that takes a variable-length input and produces a fixed-length output. If Adv(m) = Pr[(m, n) ∈_R A; h(m) = h(n)] ≤ t for a run time of at most m, the hash function is considered collision resistant.
Definition 2. A symmetric encryption method is used in the proposed protocol. Suppose E_{K_1}, E_{K_2}, …, E_{K_n} are encryption methods based on different keys K. In the model, the probability that A can crack the correct session key

Theorem 1. If A is a polynomial-time adversary with security parameter η executing our scheme under the ROR model, and we consider Zipf's law [28] for the user's password, the probability of A compromising the session key is Adv_P … t_send/2^l + …, where l represents the length of the password.

Security Proof
Proof. In the proof process, we define six games GM_0 to GM_5 and prove the theorem above according to these six games. Succ^{GM_i}_A(η) represents the probability of A's success in game GM_i. The specific proof is as follows. According to the birthday paradox, the maximum probability of a hash collision is t²_hash/2^{l+1}. Similarly, the maximum probability of a collision among the texts transmitted by both sides of the session is (t_send + t_exe)²/2^u. Finally, we conclude that |Pr[Succ^{GM_2}_A(η)] … t²_hash/2^{l+1} + (t_send + t_exe)²/2^u. The symbol l in the formula represents the length of the hash value and u represents the length of the transmitted text. GM_3: on the basis of the above games, we add the provision that A can obtain the parameter information stored in the smart card in this round, that is, A obtains the parameters {β_c, y_c, c_c, DID_c} by executing the Corrupt query. On this basis, an offline password-guessing attack is attempted. First, A calculates α_c = β_c ⊕ h(ID_c' ⊕ BRPW_c'); however, U's biological information R_i is confidential, so it cannot be obtained. According to Zipf's law [28], we conclude: |Pr[Succ^{GM_3}_A(η)] … t_send/2^l. GM_4: in this game, we analyze the security of the session key between both sides, mainly from the following three aspects. The first is to prove that the protocol has perfect forward secrecy. The second is to prove that the protocol resists user impersonation attacks. The third is that the protocol resists known session-specific temporary information attacks. Perfect forward secrecy: A obtains the value of the long-term key ds through a Corrupt query.
Known session-specific temporary information attacks: A obtains the value of the temporary information m or y_c through a Corrupt query. User impersonation attacks: A obtains the information {DID_c, ω_c, υ_c, T1} transmitted by both communication parties over the public channel through an Execute query, but U's identity ID_c is protected by symmetric encryption under the long-term key ds, and the value of ds cannot be obtained. Consider the session key SK = h(ID_c ⊕ α_c ⊕ y_c ⊕ T1 ⊕ T2) of the two communicating parties: in the first case, A must obtain the values of α_c and y_c in order to obtain the session key, but computing α_c requires U's biological information. In the second case, A obtains the temporary information, but U's identity ID_c is protected by symmetric encryption. In the third case, because ID_c is protected by symmetric encryption, A cannot obtain U's real identity, so an impersonation attack is impossible. Therefore, we conclude that |Pr[Succ^{GM_4}_A(η)] … Summing up according to the above formulas, we obtain: … So, we come to the final conclusion Adv_P …

Informal Security Analysis.
In this section, we further show that the proposed scheme is secure against the following attacks.

Privileged-Insider Attack.
In this protocol, even if the attacker obtains the information {DID_c, BRPW_c} of the user from the registration process and the information {β_c, c_c, χ_c, η_c} from the smart card, they cannot obtain the session key. Because SK = h(ID_c ⊕ α_c ⊕ y_c ⊕ T1 ⊕ T2) and the user's ID_c is encrypted under ds before being transmitted to the server, even if the attacker obtains the values of DID_c and BRPW_c, the attack is futile. Therefore, this protocol can resist privileged-insider attacks.

Offline Password-Guessing Attacks.
Suppose the attacker obtains the information stored in the smart card and, based on it, tries to guess the password offline. Even if the η_c value in the smart card is obtained and the values of ID_c and PW_c are guessed, the offline password-guessing attempt cannot succeed. This is because the calculation of m also involves the user's biological information R_i, and the value of R_i is difficult to obtain. Therefore, this protocol can effectively resist offline password-guessing attacks.

Replay Attack.
Suppose that a malicious attacker intercepts the login message {DID_c, ω_c, υ_c, T1} and the authentication message {μ_c, T2} and attempts to replay the login request. The request is invalid because the protocol uses the timestamp T1 to verify whether the time difference is within the set threshold. Similarly, if the attacker intercepts the authentication message and attempts to replay it, the user also checks the validity of the timestamp. Therefore, the protocol can effectively resist replay attacks.

Forward Secrecy.
Assuming that the attacker obtains the value of the long-term key ds, they can only use this value to decrypt DID_c to obtain the user's ID_c. However, because SK = h(ID_c ⊕ α_c ⊕ y_c ⊕ T1 ⊕ T2), knowing only the user's ID_c is not sufficient. The values of the parameters α_c and y_c cannot be obtained. Therefore, this protocol provides perfect forward secrecy.

Known Session-Specific Temporary Information Attacks.
Assuming that the attacker obtains the value of the temporary session information m or y_c, the session key still cannot be obtained. The session key computation involves ID_c, but ID_c is encrypted under the long-term key ds, so ID_c cannot be obtained by the attacker. Therefore, this protocol can resist known session-specific temporary information attacks.

User Impersonation Attacks.
Suppose that the attacker wants to carry out a user impersonation attack. They must first obtain the value of ID_c, but ID_c is encrypted under the long-term key ds, so it is difficult for the attacker to obtain its value. In addition, suppose the attacker intercepts the message {DID_c, ω_c, υ_c, T1} on the public channel and sends it to the server for verification; decrypting DID_c takes a certain amount of time. Therefore, when the server verifies the timestamp of the message received from the attacker, it will find that the timestamp exceeds the set time window and reject the login request. In this way, our protocol resists user impersonation attacks.

Mutual Authentication.
In this protocol, users and servers can successfully authenticate each other. First, the server authenticates the user through the value of υ_c sent by the user. Similarly, the user verifies whether the server is legitimate through the value of μ_c sent by the server. Only legitimate users and servers can pass the authentication. Therefore, this protocol effectively provides mutual authentication between users and servers.

Security and Performance Comparisons
This section discusses the security and performance analysis of the proposed protocol. The security analysis is conducted by comparing the proposed protocol with other protocols in terms of resistance to some common attacks, and the performance analysis is conducted by comparing the time and communication costs with those of other protocols.

Security Comparisons.
In this section, the protocol proposed in this study is compared with recent related protocols. Owing to the development of different types of attack technology and methods, previous protocols are now incapable of resisting some common attacks. At present, the common network attacks include A1: privileged-insider attack, A2: offline password-guessing attack, A3: replay attack, A4: perfect forward secrecy, A5: known session-specific temporary information attacks, and A6: user impersonation attacks. The comparison results are presented in Table 2. A "Yes" means that the protocol can resist the attack, whereas a "No" means that it cannot.
While the other related protocols each fail in some of the security attacks mentioned above, our proposed protocol can resist all the attacks, making our proposed protocol more secure and reliable.

Performance Comparisons.
To better analyze the performance of this protocol, we compared it with previous protocols. To obtain more convincing results, we analyzed the protocols using the same tools and under the same conditions, using the data provided by Rana et al. [19]. The results show that different protocols have different execution times in the same execution environment. The time required for the concatenation operation and the collision-resistant hash function was 0.00014 ms and 0.00089 ms, respectively. The time required for the XOR operation and the encryption and decryption operations was extremely small, and so it was not counted. In addition, the number of bits required for the user name, password, arbitrary number, and integer was 160; the number of bits required for the private key and public key of the server was 256; the number of bits required for encryption and decryption was 512; and the number of bits required for the exclusive-or operation and the collision-resistant hash function was 160 and 256, respectively. The symbols for each operation are as follows:
T_‖: time required for the concatenation operation
T_⊕: time required for the XOR operation
T_Enc/Dec: time required for encryption/decryption
T_h: time required for the hash operation
First, we compared the communication cost of our proposed protocol with that of previous protocols. In particular, our protocol was compared with those proposed by Rana et al. [19], Kaul and Awasthi [18], Khan et al. [31], Chang et al. [17], and Kumari et al. [16]. The communication overhead of our protocol is 3136 bits, whereas that of the protocols proposed by Rana et al. [19], Kaul and Awasthi [18], Khan et al. [31], Chang et al. [17], and Kumari et al. [16] is 3296, 2668, 3744, 2336, and 3296 bits, respectively. As shown in Figure 4, the communication cost of our protocol is lower than that of Rana et al. and Khan et al., but slightly higher than that of Kaul and Awasthi [18]. Although the communication cost of Chang et al. is small, their protocol cannot effectively resist privileged-insider attacks, offline password-guessing attacks, and replay attacks. Next, we compare the running time of our proposed protocol with those of the protocols mentioned above. The running time of our protocol is 0.01512 ms, whereas those of the protocols proposed by Rana et al. [19], Kaul and Awasthi [18], Khan et al. [31], Chang et al. [17], and Kumari et al. [16] are 0.0215 ms, 0.021 ms, 0.01965 ms, 0.01318 ms, and 0.02191 ms, respectively. As shown in Figure 5, the running time of our proposed protocol is shorter than that of four of the protocols mentioned above. Although the time consumption of our protocol is a little higher than that of Chang et al., the protocol proposed by Chang et al. has security problems. It can be said that our protocol has better overall performance than those mentioned above.
Through the analysis of Tables 2 and 3, our protocol is slightly higher than Kaul and Awasthi's [18] protocol in terms of communication cost, but Kaul and Awasthi's [18] protocol cannot resist user impersonation attacks. Because our proposed protocol more effectively resists various security attacks, it is more applicable in future work.

Conclusions
In this study, we analyzed the next-generation Internet of Things remote authentication protocol proposed by Rana et al. and found that their protocol cannot resist all kinds of security attacks, as they claim. Specifically, we found that their protocol is vulnerable to offline password-guessing attacks and

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.